The ISO 27001 standard, a global benchmark in information security management systems (ISMS), has undergone a pivotal transformation with its 2022 revision. This update reflects the dynamic nature of information security, encompassing emerging threats, regulatory changes, and technological advancements.

In this blog post, we will succinctly explore the key changes in the ISO 27001:2022 update, elucidating their implications on an organisation's ISMS. It is essential for organisations to understand and adapt to these changes to strengthen security and maintain compliance.

Recognising the complexities involved in transitioning, we will also provide a clear overview of the timelines for adoption, empowering stakeholders to strategise and allocate resources efficiently.

Equipped with insights from this blog, you will be poised to navigate the evolving information security environment with confidence. Join us as we unravel the ISO 27001:2022 update and guide you toward fortified information security governance.

Summary of Changes Between ISO 27001: 2013 and 27001: 2022

While ISO 27001:2013 Clauses 4 to 10 have minor wording updates for clarity, the most significant alterations are seen in the Annex A security controls. The controls have been grouped into four main domains from the previous 14, and tagged for more straightforward reference and use. The number of controls has been reduced from 114 to 93, with 11 new controls introduced. These new controls cover a wide range of areas, including physical security monitoring, threat intelligence, configuration management, and more..

Schedule of Changes

• ISO 27001 Revision: The revision to ISO 27001, which contains security control guidance, was published on February 15, 2022.
• ISO 27001 Amendment: An amendment to ISO 27001, the main standard for Information Security Management Systems (ISMS), is expected to be published later in 2022.

Consequences of the Updates

Upon the introduction of the updated standard, organisations are allotted a specific timeframe to adapt and align their practices for continued compliance. Transitioning to the new standard is pivotal for the retention of certification. The incorporation of novel controls, amalgamation, and revisions of existing ones echo contemporary security methodologies including, but not limited to, threat intelligence, cloud technologies, data obfuscation, web content filtering, secure development practices, and Data Loss Prevention (DLP).

The re-organisation of Annex A controls is more than a formality. Organisations that linked heavily to the previous 14 domain areas will experience a shift in control perspectives. Moreover, the update to the Statement of Applicability and the common control framework mappings will require organisations to address new additions and updates.

The 2022 revision of ISO/IEC 27001 introduces the distinction between primary and supporting assets, replacing the term "Information Assets." Organisations may need to address potential ambiguity arising from this change and evaluate its implications on their governance framework. Furthermore, the updated clauses now require an inventory of information and associated assets. Organisations are advised to promptly initiate a data mapping exercise to comply with this mandate.

Transition Period

The ISO 27001:2022 edition encompasses substantial alterations. Organisations holding current certifications will be granted a three-year transition window commencing upon the official update and publication of ISO 27001. Notwithstanding, organisations are encouraged to proactively align with the new standard by referencing the published ISO 27001:2022.

Summary

Comprehending the modifications introduced in ISO 27001:2022 is imperative for organisations striving to sustain compliance and fortify their information security management systems. Should you require expert assistance in navigating and effectively integrating these changes into your organisation's processes and governance structure, please do not hesitate to reach out to us for specialised guidance and support.